For the NOPASSWD option, I found that using !authenticate in the sudo option
is what IPA wants instead.


$ ipa sudorule-add-option readfiles
Sudo Option: !authenticate
-----------------------------------------------------
Added option "!authenticate" to Sudo rule "readfiles"
-----------------------------------------------------
From: Dmitri Pal <d...@redhat.com>
Organization: Red Hat
Reply-To: "d...@redhat.com" <d...@redhat.com>
Date: Tuesday, May 12, 2015 at 5:32 PM
To: "freeipa-users@redhat.com" <freeipa-users@redhat.com>
Subject: Re: [Freeipa-users] Allow user or group to switch user without
password and not becoming root
On 05/12/2015 04:44 PM, Andrey Ptashnik wrote:
Hello Team,
We have RHEL 7.1 and IPA server 4.1.0 in our environment as well as stack of
Oracle software that require existence of local passwordless users like
weblogic and oracle.
Users log in to servers via domain accounts at IPA server.
I’m trying to configure Sudo policy in IPA server that will allow users in the
company to log in to servers in IPA domain and switch to weblogic or oracle
user without having to enter any passwords, but also without increasing their
privileges to root.
Using a plain /etc/sudoers file it can be accomplished with something like the line below:
%users ALL = (root)
Users will be the "who" of the IPA sudo rule.
NOPASSWD:
This will be an option that you would put into the sudo rule.
/bin/su - oracle
This will be the command. You create a command and then reference it in the
rule.
At least this is what I would try.
How can I configure this behavior in IPA server?
Regards,
Andrey
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
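The three pieces Dmitri maps out (who, option, command) plus the `!authenticate` option the follow-up settled on, as one ipa CLI sequence. This is an added example, not code from the thread or from the FreeIPA project; the rule name `su-to-oracle`, the user group `dba` and the host group `oracle-servers` are placeholders I chose, and it assumes an admin Kerberos ticket when run for real. `IPA_BIN=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the FreeIPA sudo rule that
# Dmitri describes (who / option / command) using the !authenticate option
# the follow-up settled on. Names below are placeholders, not from the thread:
#   rule "su-to-oracle", user group "dba", host group "oracle-servers".
# IPA_BIN defaults to the real client; set IPA_BIN=echo to print the
# commands instead of running them (a valid admin ticket is assumed
# when running for real).

IPA_BIN="${IPA_BIN:-ipa}"
RULE="su-to-oracle"
TARGET_USER="oracle"
# sudo matches a command with arguments literally, so this permits exactly
# "su - oracle" and nothing else (not "su -", not "su - root").
SU_CMD="/bin/su - ${TARGET_USER}"

# create_su_rule <user-group> <host-group>
create_su_rule() {
    user_group="$1"
    host_group="$2"

    # 1. Register the command object (the "/bin/su - oracle" part of the sudoers line).
    "$IPA_BIN" sudocmd-add "$SU_CMD" --desc="switch to ${TARGET_USER} without a password"

    # 2. Create the rule.
    "$IPA_BIN" sudorule-add "$RULE" --desc="let ${user_group} become ${TARGET_USER}"

    # 3. Who: a named group rather than the %users catch-all from the sudoers
    #    example, so the passwordless path is limited to accounts that need it.
    "$IPA_BIN" sudorule-add-user "$RULE" --groups="$user_group"

    # 4. Where: only the hosts that carry the Oracle stack.
    "$IPA_BIN" sudorule-add-host "$RULE" --hostgroups="$host_group"

    # 5. What: reference the command object created in step 1.
    "$IPA_BIN" sudorule-add-allow-command "$RULE" --sudocmds="$SU_CMD"

    # 6. NOPASSWD: FreeIPA stores sudo options verbatim; "!authenticate" is the
    #    sudoers flag that NOPASSWD: is shorthand for.
    "$IPA_BIN" sudorule-add-option "$RULE" --sudooption='!authenticate'
}

# show_su_rule prints the finished rule so who/where/what/option can be reviewed.
show_su_rule() {
    "$IPA_BIN" sudorule-show "$RULE" --all
}

# Entry point: "sh this.sh apply dba oracle-servers" builds the rule; with no
# arguments the script only defines the functions (so it can be sourced or tested).
if [ "${1:-}" = "apply" ]; then
    create_su_rule "$2" "$3"
    show_su_rule
fi
```

Once the rule has reached a client, `sudo -l` run by a member of the group should list `(root) NOPASSWD: /bin/su - oracle` and nothing broader. Note that `su` itself still executes as root under this rule, which is why the command object carries the full argument string: the literal match is what keeps the rule from covering other `su` targets.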